What is risk culture and why should we care about it?
8th September 2016
Enterprise Risk Management (ERM) has been under the spotlight since the 2008 financial crisis, particularly in the financial services sector. The question is often asked, ‘where was ERM?’ Too much focus on process and regulatory compliance has seen ERM devalued.
Risk culture can be seen as part of the answer. Culture in many ways is ‘what staff in your organisation do when you are not watching them’. Risk culture is therefore values-based and ethically driven rather than based on processes or formal governance. When the chips are down, experience has suggested that culture trumps process every time when it comes to determining whether risk management is successful.
Why does this matter? All organisations have external stakeholders who have considerable influence over how the organisation is perceived and its future prospects for success. Since the financial crisis in 2008, public trust in companies has dropped. Regulators have reacted by increasing their scrutiny. Recent examples include the Financial Reporting Council (FRC) guidance on risk management highlighting the board’s responsibility for defining the ‘culture it wishes to embed in the company, and whether this has been achieved’. The Financial Stability Board (FSB) has also issued guidance on how to approach the analysis of the risk culture of financial services organisations.
What does this mean in practice for risk functions? It means a need to take a more holistic view of implementing risk management in their organisation. Creating or shaping a more risk-aware culture is, however, potentially the greatest value a risk function can bring to the table in terms of preparing their organisation for the challenges of uncertain and fast-changing environments.
A practical case study outlines how this was applied to a financial services institution to demonstrate the importance of establishing a change management plan for risk culture. The Institute of Risk Management (IRM) has developed a toolkit for diagnosing an organisation’s current risk culture, completing a gap analysis and implementing a structured improvement plan. The case study demonstrates the importance of gaining Board sponsorship for any such programme and ensuring management buy-in to the objectives. This organisation adopted three different tools advocated by the IRM to investigate and drill down into the root causes of the current risk culture. High-level desk-based analysis was supplemented by an online employee survey and a small number of structured, targeted interviews.
The overall outcome of the project was a report, presented to senior management and the Board, outlining areas of strength and weakness in terms of the alignment of culture with corporate values, and a number of practical improvement actions that could be sponsored by the Committee.
This then enabled a cross-functional team involving Risk Management, Communications and Human Resources to put together a structured change management plan to guide the organisation towards its new culture goals.
An organisation with a risk-aware culture is one that is more resilient to external influences and better able to adapt. The benefit of a strong risk culture derives from agile decision making in terms of the risk and reward of different opportunities. Fewer unforced errors arise from a risk-aware organisation able to learn from previous events and mistakes and improve its processes in a timely manner.